Markdown-based Stored XSS in Zendesk!
How can Markdown help trigger XSS?
Now that was a simple Markdown XSS, and I was disappointed that I was not the first to find it. So I decided to play with the same bug and see if I could come up with a bypass for it. But unfortunately, things were not as easy as they looked. The Zendesk team did a good job fixing it, and no matter what I tried, it didn’t work. Then I came across an awesome blog by Shubham Shah where he explains a lot of good Markdown-based XSS vectors, which include:
But none of the above seemed to work (Zendesk’s filters are good!). I was about to stop looking, but suddenly something crossed my mind. The original report was based on XSS vectors which start with
I knew this, but it never crossed my mind until I read Shubham’s blog. The simple base64 payload with data:text/html;base64 executes properly in any browser. (Note that current Chrome and Firefox block top-level navigation to data: URLs, so a clicked data: link no longer executes in those browsers; the filtering lesson still stands.) As the last report was fixed by filtering out the keyword
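The filtering problem this bypass points at, shown as an added example that is not code from the original post or from Zendesk: a toy Markdown link renderer is run through two href filters, a hypothetical keyword blocklist that rejects only javascript: (an assumption for illustration, not Zendesk’s actual filter) and a URL-scheme allowlist. The base64 data:text/html link sails through the blocklist and is rendered as a live anchor, while the allowlist drops it. All sample inputs are constructed, and the helper names (renderLinks, blocklistFilter, allowlistFilter, decodeBase64DataUrl, renderAll) are my own. The allowlist also goes slightly beyond the single case in the text: it uses the WHATWG URL parser so mixed-case schemes and relative links are handled correctly.

```javascript
// Added example (not from the original post or Zendesk's code base): a toy
// Markdown link renderer run through two href filters. The blocklist below is a
// hypothetical one that rejects only "javascript:" and is NOT Zendesk's filter.

// Constructed sample payload: the HTML the data: URL carries, base64-encoded.
// Note: current Chrome and Firefox block top-level navigation to data: URLs,
// so clicking such a link no longer executes in them; the filtering lesson
// (blocklist vs. allowlist) holds regardless.
const PAYLOAD_HTML = "<script>alert(document.domain)</script>";
const DATA_URL =
  "data:text/html;base64," + Buffer.from(PAYLOAD_HTML, "utf8").toString("base64");

// Constructed Markdown inputs: one benign link, one javascript: link, one data: link.
const SAMPLES = {
  safe: "[docs](https://example.com/docs)",
  js: "[x](javascript:alert(1))",
  data: `[click me](${DATA_URL})`,
};

function escapeHtml(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Minimal renderer for the inline-link syntax [text](url) -> <a href="url">text</a>.
// The URL part allows one level of balanced parentheses, as CommonMark does,
// so "javascript:alert(1)" is captured whole. hrefFilter returns the URL to
// emit, or null to drop the link and keep only its text.
const LINK_RE = /\[([^\]]*)\]\(((?:[^()\s]|\([^()\s]*\))+)\)/g;
function renderLinks(markdown, hrefFilter) {
  return markdown.replace(LINK_RE, (_, text, url) => {
    const href = hrefFilter(url);
    return href === null
      ? escapeHtml(text)
      : `<a href="${escapeHtml(href)}">${escapeHtml(text)}</a>`;
  });
}

// Hypothetical blocklist: strips only URLs beginning with "javascript:".
// Anything else, including data:text/html;base64, is passed through untouched.
function blocklistFilter(url) {
  return /^\s*javascript:/i.test(url) ? null : url;
}

// Allowlist: let the URL parser normalise the scheme (it lowercases it and
// strips stray whitespace), then keep only schemes known to be inert as links.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);
function allowlistFilter(url) {
  let parsed;
  try {
    // Relative links resolve against the base and come out as https:.
    parsed = new URL(url, "https://example.invalid/");
  } catch {
    return null; // unparseable: drop it
  }
  return ALLOWED_SCHEMES.has(parsed.protocol) ? url : null;
}

// What the browser would render if it navigated to the base64 data: link.
function decodeBase64DataUrl(href) {
  const m = /^data:[^;,]+;base64,(.*)$/.exec(href);
  return m ? Buffer.from(m[1], "base64").toString("utf8") : null;
}

// Render every sample through both filters and return the resulting HTML.
function renderAll() {
  const out = {};
  for (const [name, md] of Object.entries(SAMPLES)) {
    out[name] = {
      blocklist: renderLinks(md, blocklistFilter),
      allowlist: renderLinks(md, allowlistFilter),
    };
  }
  return out;
}

console.log(JSON.stringify(renderAll(), null, 2));
```

Running it shows the point: the data: sample comes out of the blocklist path as a clickable anchor carrying the script, while the allowlist path reduces it to plain text. Filtering on a keyword you have already seen abused only ever catches that keyword; deciding which schemes are allowed catches every scheme you have not thought of yet.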
The Zendesk team was kind enough to pay me $500 for the report.